When drones attack: How drones can infiltrate secure networks remotely using a little-known weakness in very common peripherals.
WARNING! The actions described in this post would be illegal. This post is for educational purposes only and no responsibility will be taken should you even think it's a good idea to try this for anything malicious! I have made the code available through my GitHub profile here. I also have the pre-configured hardware available, with a download link to the code, to purchase through my online store here.
I was surfing through YouTube recently, checking out some of the latest videos relating to cyber security and penetration testing when one particular video caught my attention.
The video (embedded below) explained how an ordinary consumer drone, fitted with a small IoT device such as a Raspberry Pi Zero and a cheap nRF24L-series 2.4 GHz transceiver, could be used to bypass the physical access controls around an enterprise's network infrastructure and "inject" malicious keystrokes through a widely overlooked culprit: your wireless keyboard or mouse.
It turns out that many consumer keyboards and mice, including those from big brands such as Logitech and Microsoft, use nRF24L-series transceivers to carry the communication between keyboard, mouse and computer. It is not uncommon for different companies to use similar or even identical chips in their products; the problem is not the radio itself but the proprietary, vendor-written protocols that run over it, which turned out to have a very big weakness.
When your keyboard or mouse talks to the little receiver dongle in the back of your PC, each device identifies itself with an RF address, often loosely called a MAC address. This address is meant to be unique to each device and consists of 5 octets of hexadecimal values, for example 0A:00:AA:12:BC. Under normal conditions the receiver is paired to the keyboard and/or mouse by this address and will only accept input from those particular devices, ignoring all other signals that may be present. Note that the address is only a filter: nothing stops another radio from transmitting with the same one.
Some very smart researchers quickly worked out that many of these links used no encryption at all (mouse traffic in particular), and that even where keyboard traffic was encrypted, a number of receivers would still accept unencrypted keystroke packets. With some very cheap hardware an attacker could "spoof" the address of a paired keyboard or mouse and transmit keystrokes straight to the receiver, delivering commands to the target computer, often so fast that the user is completely unaware anything has happened. Another important point about this attack is that because the input appears to come from the user's own keyboard, anti-virus software is virtually useless at preventing it: the operating system is simply doing what a trusted keyboard asked.
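Because injected input is indistinguishable from a trusted keyboard at the driver level, the practical host-side check is behavioural rather than signature-based: people do not type a dozen keys in sixty milliseconds. The following is an added example (mine, not code from the video or from this post) of that heuristic run over a constructed key-event log of the kind an endpoint agent could produce. The log format, the key names, and the 30 ms / 8-key thresholds are assumptions to be tuned against real typing data.

```python
"""Flag keystroke bursts too fast and too regular to come from a human.

Added example for this post, not code from the video or the author's sketch.
Input is a constructed host-side key-event log ("<seconds> <key>" per line), e.g.
what an endpoint agent or an evdev/RawInput tap could emit; the thresholds are
assumptions a defender would tune against their own fleet's typing data.
"""
from __future__ import annotations
from dataclasses import dataclass
from statistics import median

# Assumed thresholds: 8+ consecutive keys with no gap above 30 ms is faster than
# people type, yet slow enough that a receiver replaying an injected payload
# will trip it. Tune on real data before alerting.
MAX_HUMAN_INTERVAL_S = 0.030
MIN_BURST_KEYS = 8

# Constructed sample: a user types "hello", then a payload opens a run dialog
# (GUI+r), types a command at 5 ms per key and presses ENTER; the user resumes later.
SAMPLE_LOG = """\
1.000 h
1.180 e
1.310 l
1.470 l
1.560 o
2.900 GUI+r
2.905 p
2.910 o
2.915 w
2.920 e
2.925 r
2.930 s
2.935 h
2.940 e
2.945 l
2.950 l
2.955 ENTER
9.100 a
"""


@dataclass
class Burst:
    start: float             # timestamp of the first key in the burst
    end: float               # timestamp of the last key
    keys: list[str]          # keys in order, so the payload can be reconstructed
    median_interval_s: float


def parse_log(text: str) -> list[tuple[float, str]]:
    """Parse '<seconds> <key>' lines; skip comments/malformed lines; sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue  # a malformed line must not crash the monitor
        try:
            events.append((float(parts[0]), parts[1]))
        except ValueError:
            continue
    events.sort(key=lambda e: e[0])  # buffered sources can deliver out of order
    return events


def _to_burst(run: list[tuple[float, str]]) -> Burst:
    intervals = [b[0] - a[0] for a, b in zip(run, run[1:])]
    return Burst(run[0][0], run[-1][0], [k for _, k in run],
                 median(intervals) if intervals else 0.0)


def find_bursts(events, max_interval=MAX_HUMAN_INTERVAL_S,
                min_keys=MIN_BURST_KEYS) -> list[Burst]:
    """Group consecutive events <= max_interval apart; keep groups of >= min_keys."""
    bursts: list[Burst] = []
    run: list[tuple[float, str]] = []
    for t, key in events:
        if run and t - run[-1][0] > max_interval:
            if len(run) >= min_keys:
                bursts.append(_to_burst(run))
            run = []
        run.append((t, key))
    if len(run) >= min_keys:  # a burst that ends the log has no trailing key to flush it
        bursts.append(_to_burst(run))
    return bursts


def detect(text: str) -> list[Burst]:
    return find_bursts(parse_log(text))


if __name__ == "__main__":
    for b in detect(SAMPLE_LOG):
        print(f"burst {b.start:.3f}-{b.end:.3f}s, {len(b.keys)} keys, "
              f"median gap {b.median_interval_s * 1000:.1f} ms: {' '.join(b.keys)}")
```

Timing alone produces false positives from password managers, barcode scanners and paste-as-keystrokes tools, so in practice the signal is scoped to the device or process that generated the input and combined with content (a burst that begins with a run-dialog or terminal shortcut is far more interesting than one that does not).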
Just to be clear, these peripherals are designed for short ranges, typically 3 to 10 metres, so while it would be possible to carry a small battery-powered IoT device to accomplish this, in practice you are very unlikely to find yourself close enough to a target computer or network to execute it unless you work for the enterprise being targeted. That said, the attacker's side of the link is not limited to the dongle's nominal range; a power amplifier and a directional antenna extend it considerably, which is exactly the gap the drone scenario below exploits.
Let's imagine that I've been contracted by XYZ Corporation to infiltrate the network of ABC Inc. My goal is to gain access to their internal network so that XYZ Corporation can steal proprietary design information for ABC Inc.'s newest product.
Now ABC Inc. works out of a secure high-rise building in the central business district. I knew gaining physical access to their building was going to be a challenge; they had tight security measures in place, including guards and swipe cards for door access. ABC Inc.'s systems administrator was also very security conscious and had decided that WiFi was far too insecure for the types of data ABC Inc. stored, so had implemented a 100% hard-wired network infrastructure within the building.
Despite knowing the difficulty, I still felt the only way to do this was to gain access to a computer in person. I tried every trick up my sleeve, but was met only with failed attempts. I even considered causing a disturbance just to gain entry, out of pure desperation. So I was resigned to the fact that I couldn't get into the building without causing some sort of disturbance or raising security concerns. WiFi was out, as there was none; however, information given to me by XYZ Corporation indicated that ABC Inc. operate the majority of their IT infrastructure from the fifth floor of the building. That too posed additional access challenges.
However, one day, as I was sitting at a cafe just outside the building, sipping my coffee and watching the people coming in and out of ABC Inc., an idea sparked in my mind. What if I could gain access to their IT infrastructure without being physically present in the building? But wait! They don't use wireless networks; everything is cabled. So how could I do it from the cafe? Then all of a sudden I heard an all too familiar buzzing sound above my head: a drone! Could this be the answer?
So I raced home and grabbed my trusty drone. I went back and flew it up to the fifth floor to perform some reconnaissance. I needed to know what my potential options were. Jackpot! I saw that ABC Inc. had provided their employees with wireless keyboards and mice at their terminals. I quickly remembered the weaknesses in the nRF24L-based protocols commonly used by those devices, and how I could potentially gain access by injecting keystrokes through one of the wireless receivers and installing a back-door program to provide me with remote access. So I landed the drone and headed back to my base to start formulating a possible attack.
Knowing that keystrokes could be injected over these nRF24L-based links, I quickly grabbed an RF-Nano (an Arduino Nano with an nRF24L01+ on board) from my parts bin. Lightweight and requiring next to no power, it was perfect to attach to my drone so I could fly it up to the fifth floor, get within range and execute my attack. I uploaded a sketch containing my attack payload, written in DuckyScript. I then grabbed a USB power bank, charged up my drone and headed back to the cafe outside the ABC Inc. building.
The attack would be a simple one. I'd fly my drone up and the Arduino would scan for the addresses of keyboards and mice currently in use by people inside the building. Once it had located a signal it could use, it would "spoof" or mimic the address of that keyboard or mouse and send simple key commands to the host computer, installing a back-door program on the terminal that would then provide me remote access to the rest of the network. Because the attack would look like regular user input from the keyboard, anti-virus software and security policies were unlikely to detect it or even alert the user to what was happening.
I got back to the cafe, set up my laptop ready to confirm access, then pulled my drone out of its bag. Using some rubber bands, I attached the RF-Nano to my drone, along with the small USB power bank. I plugged it all in and sent it up. Not wanting to look conspicuous, I let my drone hover near different windows on the fifth floor, avoiding keeping it in a single position for too long as I didn't want it to be noticed or receive any sort of attention. Suddenly, after a few seconds, my laptop screen lit up to show that my payload had executed and the back door had called home from inside ABC Inc.'s network, and I confirmed that I now had access to their network.
Having achieved my goal and wanting to remain as invisible as possible, I packed everything up and headed back to my base, confident that my access should remain undetected for some time to come, and started gathering the information XYZ Corporation were paying me for.
It had taken only a few short seconds and I was in. Nobody noticed the drone, and nobody would have known anything of what I had just done.
In closing, my advice is quite simple: wherever data integrity or security is of paramount importance, the only safe peripherals to use are the ones with cables! ABC Inc. had a completely hard-wired network, so infiltration over WiFi was not an option; access to the building was secure, and again, I could not have gained physical access without causing some sort of security concern or disturbance.
ABC Inc.'s IT and site security policies were extremely solid and well thought out. If it were not for their systems administrator being completely unaware that the wireless keyboards and mice he had provided were vulnerable, this attack, this entire job, may not have been successful. Complacency is a big issue when it comes to anything related to IT and cyber security. Many individuals and businesses alike purchase and install hardware or peripherals completely unaware of the security weaknesses they carry.
If privacy and data security are important to you or your organisation, it is always a good idea to speak with a cyber-security professional and to conduct regular on-site audits of your hardware and software so that potential security gaps are identified and closed, including checking whether the vendor has published firmware updates for any wireless receivers you do keep.
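Since the recommendation is a hardware audit, here is an added example (my code, not from the post or the video) of its first step: parsing the one-line `lsusb` output collected from each workstation and flagging wireless receivers, with known IDs reported ahead of devices that merely look like receivers by description. The hostnames and `lsusb` lines are constructed, and the watch list is an assumption; the vendor:product IDs in it are illustrative entries that should be confirmed against usb.ids and the vendor's own advisories before being relied on.

```python
"""Inventory USB receivers that may accept injected keystrokes.

Added example for this post, not tooling from the video or the author. It parses
the one-line output of `lsusb` gathered from each host (constructed samples here)
and flags wireless receivers. KNOWN_RECEIVERS is an assumed watch list whose IDs
are illustrative; maintain it from usb.ids and vendor advisories.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed watch list of wireless-receiver USB IDs (lower-case hex). Illustrative,
# not complete: extend it from usb.ids and the vendor's advisory before use.
KNOWN_RECEIVERS = {
    ("046d", "c52b"): "Logitech Unifying receiver",
    ("046d", "c534"): "Logitech Unifying receiver",
    ("045e", "0745"): "Microsoft Nano Transceiver v1.0/2.0",
}
# Description words that suggest a proprietary 2.4 GHz receiver even when the ID
# is not on the list; these get a lower-severity "review" flag for a human to check.
RECEIVER_HINTS = ("receiver", "transceiver")

LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    host: str
    bus: str
    device: str
    usb_id: str
    description: str
    severity: str  # "known" = ID on the watch list, "review" = description hint only


def scan_lsusb(host: str, text: str) -> list[Finding]:
    """Return flagged devices from one host's `lsusb` output; ignore anything unparseable."""
    findings = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue  # tolerate banners, blank lines and `lsusb -v` noise
        vid, pid = m["vid"].lower(), m["pid"].lower()
        desc = m["desc"].strip()
        if (vid, pid) in KNOWN_RECEIVERS:
            severity, label = "known", KNOWN_RECEIVERS[(vid, pid)]
        elif any(h in desc.lower() for h in RECEIVER_HINTS):
            severity, label = "review", desc
        else:
            continue
        findings.append(Finding(host, m["bus"], m["dev"], f"{vid}:{pid}", label, severity))
    return findings


def audit(hosts: dict[str, str]) -> list[Finding]:
    """Scan every host and order the report so known-affected receivers come first."""
    out: list[Finding] = []
    for host, text in hosts.items():
        out.extend(scan_lsusb(host, text))
    return sorted(out, key=lambda f: (f.severity != "known", f.host, f.bus, f.device))


# Constructed sample output from three workstations (hostnames are made up).
SAMPLE_HOSTS = {
    "ws-05-12": "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"
                "Bus 001 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver\n",
    "ws-05-13": "Bus 002 Device 003: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0/2.0\n"
                "Bus 002 Device 005: ID 046d:c31c Logitech, Inc. Keyboard K120\n",
    "ws-05-14": "Bus 003 Device 002: ID 1234:abcd Some Vendor 2.4G Wireless Receiver\n"
                "Bus 003 Device 003: ID 1d6b:0003 Linux Foundation 3.0 root hub\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS):
        print(f"{f.severity:6} {f.host} bus {f.bus} dev {f.device} {f.usb_id} {f.description}")
```

The "review" tier exists because the watch list will never be complete: a receiver from a vendor you have not catalogued is still a receiver. On Windows fleets the same classification can be applied to the PnP hardware IDs (VID_xxxx&PID_xxxx) rather than `lsusb` lines; only the parsing step changes.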
The video below which was my inspiration for this post goes for about 15 minutes but is well worth the watch if you’ve ever wondered just how easy it could be for an attacker to gain entry to your network and devices.